Transparent Tribe Uses AI to Mass-Produce Malware Implants Targeting India
- Mar 7
Key Findings
Transparent Tribe, a Pakistan-aligned hacking group, has embraced the use of AI-powered coding tools to mass-produce malware implants.
The goal is to flood target environments with a "high-volume, mediocre mass of implants" using lesser-known programming languages like Nim, Zig, and Crystal.
These malware samples rely on trusted services like Slack, Discord, Supabase, and Google Sheets to fly under the radar, a technique dubbed "Distributed Denial of Detection (DDoD)".
The transition towards "vibeware", or vibe-coded malware, is seen as a regression in technical sophistication, but it allows the group to scale attacks rapidly.
Large language models (LLMs) enable the threat actors to generate functional code in unfamiliar languages, either from scratch or by porting the core business logic from more common ones.
Background
Transparent Tribe, also known as APT36, is a Pakistan-aligned threat actor that has been active since at least 2013. The group has primarily targeted government entities, military organizations, and private businesses in India and neighboring countries.
Their latest campaign, as uncovered by researchers at Bitdefender, reveals a shift in their tactics towards leveraging AI-powered tools to mass-produce malware implants. This approach is designed to overwhelm target environments with a high volume of disposable, polyglot binaries, making it more challenging for traditional detection methods to keep pace.
Targets and Infection Vectors
The current campaign by Transparent Tribe is focused primarily on the Indian government, its embassies abroad, and select private businesses. The group has also included the Afghan government and some private organizations as secondary targets.
The infection vectors typically involve phishing emails containing malicious Windows shortcuts (LNKs) bundled within ZIP archives or ISO images. Alternatively, the group has been observed using PDF lures with prominent "Download Document" buttons that redirect users to attacker-controlled websites, leading to the download of the same ZIP archives.
Malware Toolset and Tactics
The malware samples employed in this campaign are characterized by the use of lesser-known programming languages, including Nim, Zig, and Crystal, as well as the reliance on trusted online services for command-and-control (C2) communication. This approach is designed to complicate detection efforts and fly under the radar of traditional security solutions.
Some of the notable malware components observed in this campaign include:
- Warcode: A custom shellcode loader written in Crystal, used to reflectively load a Havoc agent directly into memory.
- NimShellcodeLoader: An experimental counterpart to Warcode that deploys an embedded Cobalt Strike beacon.
- CreepDropper: A .NET malware that delivers and installs additional payloads, such as SHEETCREEP (a Go-based infostealer) and MAILCREEP (a C#-based backdoor).
- SupaServ: A Rust-based backdoor that establishes a primary communication channel via the Supabase platform, with Firebase acting as a fallback.
- LuminousStealer: A likely vibe-coded, Rust-based infostealer that uses Firebase and Google Drive to exfiltrate files.
- CrystalShell and ZigShell: Backdoors written in Crystal and Zig, respectively, that use Discord and Slack for C2 communication.
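Because the C2 channel in this campaign rides on services that are legitimately used from most corporate networks, blocking the domains is rarely an option; the signal defenders can still use is which process talks to those APIs and how regularly. The following is an added illustration of that check, not Bitdefender's detection logic or any of the page's code: it assumes a proxy or EDR log format of the form `timestamp host=... proc=... dst=...`, an allow-list of processes expected to reach the named services, and a jitter threshold (coefficient of variation of inter-request gaps) below which timing looks machine-driven.

```python
"""Beaconing check for C2 riding on trusted SaaS APIs (Slack, Discord, Supabase,
Google Sheets/Drive, Firebase). Added illustration; log format, hostnames and
thresholds are assumptions, not Bitdefender's detection logic."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# API hostname suffixes of the services named in the report (assumed).
WATCHED = ("slack.com", "discord.com", "supabase.co", "googleapis.com",
           "firebaseio.com")
# Processes expected to talk to them; any other process is worth a look.
EXPECTED = {"chrome.exe", "msedge.exe", "slack.exe", "discord.exe", "outlook.exe"}
LINE = re.compile(r"^(\S+) host=(\S+) proc=(\S+) dst=(\S+)$")

def find_beacons(lines, min_hits=4, max_cv=0.2):
    """Return {(host, proc, dst): mean_gap_seconds} for unexpected processes
    that contact a watched domain at near-regular intervals (low jitter)."""
    series = defaultdict(list)
    for ln in lines:
        m = LINE.match(ln.strip())
        if not m:
            continue                      # ignore malformed lines
        ts, host, proc, dst = datetime.fromisoformat(m[1]), m[2], m[3].lower(), m[4].lower()
        if proc not in EXPECTED and dst.endswith(WATCHED):
            series[(host, proc, dst)].append(ts)
    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0   # jitter ratio
        if cv <= max_cv:                  # low jitter -> machine-driven timing
            hits[key] = round(mean, 1)
    return hits

# Constructed sample: an unknown binary polling api.slack.com every ~60 s, and a
# second unknown process with irregular, human-paced requests (dropped by the jitter test).
SAMPLE = """\
2026-03-07T09:00:00 host=ws17 proc=update.exe dst=api.slack.com
2026-03-07T09:01:00 host=ws17 proc=update.exe dst=api.slack.com
2026-03-07T09:02:01 host=ws17 proc=update.exe dst=api.slack.com
2026-03-07T09:03:00 host=ws17 proc=update.exe dst=api.slack.com
2026-03-07T09:00:10 host=ws22 proc=helper.exe dst=api.slack.com
2026-03-07T09:07:45 host=ws22 proc=helper.exe dst=api.slack.com
2026-03-07T09:08:02 host=ws22 proc=helper.exe dst=api.slack.com
2026-03-07T09:31:19 host=ws22 proc=helper.exe dst=api.slack.com
""".splitlines()
```

Calling `find_beacons(SAMPLE)` flags only the ws17/update.exe series (about 60 s apart); the process allow-list and the thresholds should be tuned to the environment, since a legitimate integration polling on a timer will trip the same test.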
Conclusion
The transition of Transparent Tribe towards AI-assisted malware development represents a technical regression, as the resulting tools are often unstable and riddled with logical errors. However, the group's strategy of flooding target environments with disposable binaries presents significant challenges for detection and mitigation. This shift in tactics highlights the need for organizations to stay vigilant and adopt advanced security measures to counter the evolving threat landscape.
Sources
https://thehackernews.com/2026/03/transparent-tribe-uses-ai-to-mass.html
https://www.reddit.com/r/pwnhub/comments/1rmqg68/transparent_tribe_uses_ai_to_massproduce_malware/
https://x.com/TheCyberSecHub/status/2029941662462693449
https://www.reddit.com/r/cybersecurity/comments/1rmvxjt/transparent_tribe_uses_ai_to_massproduce_malware/
https://www.instagram.com/p/DVjG2r3ga6K/